physical security of sensitive compartmented information ... · pdf filephysical security of...

Physical Security ofSensitive CompartmentedInformation Facilities (SCIF)NAVFAC Northwest

Presented by: Richard Cofer, P.E.

Naval Facilities Engineering Command Atlantic Capital Improvements Business Line

Engineering Criteria and Programs

August 2017

3 UNCLASSIFIED Aug 2017

• THIS IS AN INTRODUCTION TO SENSITIVE COMPARTMENTED INFORMATION FACILITIES (SCIF) AND IS NOT INTENDED TO BE A STEP-BY-STEP GUIDE ON SCIF PLANNING, DESIGN, OR CONSTRUCTION.

• WORK CLOSELY WITH THE DESIGNATED SITE SECURITY MANAGER (SSM) TO DETERMINE THE SPECIFIC REQUIREMENTS FOR EACH PROJECT.

• BOTTOM LINE: PLAN, PROGRAM, DESIGN, AND CONSTRUCT EACH SCIF ON A PROJECT BY PROJECT BASIS.


A SCIF is an area, room, or building, where sources and methods, including Sensitive Compartmented Information (SCI), is stored, used, processed, or discussed.

SCIF Definition

–Typically found in:• Command Headquarters

• Operation Centers

• Communication Centers


Sensitive Compartmented Information (SCI) is classified Secret or Top Secret information that is derived from intelligence sources, methods or analytical processes

Sensitive Compartmented Information

• SCI can only be handled, processed, discussed, or stored in an accredited Sensitive Compartmented Information Facilities (SCIF).


• Intelligence Community Directive (ICD) 705 Sensitive Compartment Information Facilities

• Intelligence Community Standard Number 705-1 (ICS 705-1) Physical and Technical Security Standards for Sensitive Compartmented Information Facilities

• Intelligence Community Standard Number 705-2 (ICS 705-2) Standards for the Accreditation and Reciprocal Use of Sensitive Compartmented Information

• IC Tech Spec-for ICD/ICS 705: Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities (Version 1.3, note: 1.4 is coming)

• DoDM 5105.21-Vol 1-3, Sensitive Compartmented Information (SCI) Administrative Security Manual– Does not apply to the National Security Agency/Central Security Service

(NSA/CSS), National Geospatial-Intelligence Agency (NGA), and the National Reconnaissance Office (NRO).

Policy


• Special Access Program Facility (SAPF).– An accredited area, room, group of rooms, building, or installation where

SAP materials may be stored, used, discussed, manufactured, or electronically processed. When required, SAPF provide an operational capability that is critical to the supported command’s mission

• DODM 5205.07 Volume 3, DoD Special Access Program (SAP) Security Manual: Physical Security – The physical security safeguards established in the Office of the National

Counterintelligence Executive Technical Specifications (IC Tech Spec-for ICD/ICS 705) and Intelligence Community Directive 705 (ICD 705) are the physical standards for protection of SAP information. Construction of SAPFs, T-SAPFs, SAPCAs¸ SAPWAs, and SAPTSWAs will conform to the equivalent sensitive compartmented information facility (SCIF), T-SCIF, CA, SWA, TSWA, as defined in IC Tech Spec-for ICD/ICS 705, unless variations

are specifically noted in this volume.

Policy


• As a design and construction agent for the Department of Defense, it is imperative that we understand the requirements contained in DoDM 5105.21-Vol 1-3, ICS 705-1 and the associated documents and include them in project requirements.

• ICD/ICS Documents affect :– Planning– RFP Development– Design– Construction– Accreditation

Responsibilities


UFC 4-010-05 Sensitive Compartmented Information Facilities PLANNING, DESIGN, AND CONSTRUCTION

• PURPOSE: To provide unified criteria and make the planning, design and construction communities aware of SCIF policy requirements and ensure appropriate implementation.

• PREPARING ACTIVITY: NAVFAC

– Point of contact: Richard Cofer

– Author: Richard Cofer

• CURRENT DOCUMENT STATUS:

– Published February 2013, Available on the Whole Building Design Guide Website (www.wbdg.org)

– Change 1 Published 1 October 2013

– Change 2 in progress


ECB 2017-03: Design and Construction Requirements for Sensitive Compartmented Information Facilities

• PURPOSE: Provide NAVFAC policy on Department of the Navy SCIF design and construction requirements, referenced in SCIF policy

• PREPARING ACTIVITY: NAVFAC– This document was coordinated with SSO

Navy, NAVFAC Asset Management (AM), and U.S. Marine Corps. Points of contact:

– NAVFAC CI: Richard Cofer

– NAVFAC AM: Mr. Mike Bryan, NAVFAC HQ

– USMC HQ: Mr. Brian Sanders, Headquarters Marine Corps

– SSO Navy: Roland L. Lohr, SSO Navy, Head, Accreditation & Physical Security Division Intel Protection & Oversight

• DOCUMENT STATUS:– Published May 2017 on the NAVFAC Portal, Effective Immediately


Classifications of SCIF

• There are six classifications:– Secure Working Area (SWA) - Area where SCI is

handled, discussed, and/or processed but not stored.

– Temporary Secure Working Area (TSWA) - Secure working area used less than 40 hours per month.

– Temporary SCIF - limited time to meet tactical, emergency, or immediate operational requirements.

– Open Storage - SCI openly stored and processed.

– Closed Storage - SCI material stored in GSA approved storage containers.

– Continuous Operation - Staffed and operated 24/7


Classifications of SCIF

• Closed Storage: – SCI material are stored in GSA approved storage

containers when not in use. • This includes documents, computer hard drives, and

storage media.

• Open Storage:– SCI may be openly stored and processed and may be

left out when not in use.

• Continuous Operation:– Staffed and operated 24/7. Depending on operational

procedures, SCI documents may be left out or stored when not in use.


Compartmented Area (CA) is a room, a set of rooms, or an area that provides controlled separation between the compartments within a SCIF.

Compartmented Area (CA)


When is a Sensitive Compartmented Information Facilities (SCIF) needed?

• Per DoDM 5105.21-Volume 2:– The concept approval is the first critical element in the

establishment of a SCIF.

– Once a need for SCI has been identified, the organization’s commander will submit a request for SCI to the Service CSAs, their designees, or DoD Component SIOs.

– Concept approval certifies that a clear operational requirement exists for the SCIF and there is no existing SCIF to support the requirement.

– The Service CSAs, their designees, or DoD Component SIOs are required to grant concept approval to establish a SCIF.

• Without the CAR approval, the Supported Command is not authorized to initiate a SCIF project.– When a command tells NAVFAC they want a SCIF, first question should

be, do you an approved CAR?


Site Security Manager (SSM)

• Per DoDM 5105.21-Volume 2:–An SCI-indoctrinated site security manager

(SSM) shall be designated by the component SSO for each new construction or renovation project.

–The SSM represents the organization constructing or renovating the SCIF for all security matters to both the construction firm and the AO.

• The “organization” is not NAVFAC, the “organization” is the command submitting the CAR.


Determining Project Requirements

• The SSM is responsible for all security requirements for the SCIF.

• SSM is responsible for assembling and submitting documents for AO approval. Documents include, but not be limited to:

– Construction Security Plan

– Fixed Facility Checklist

– TEMPEST addendum

– When applicable, waiver request packages.


Construction Security Plan (CSP)

• Each SCIF construction project shall have a CSP. The CSP:– Developed by the SSM and approved by the AO.

– Addresses the application of security to SCIF planning, design, and construction.

– Format and content is based on extent of SCIF construction and security concerns.

• Policy states the CSP must be approved prior to construction. TOO LATE! – A preliminary CSP must be developed during the planning phase

to capture the scope and cost associated with security.

– CSP must be finalized and approved during design phase.


Fixed Facility Checklist (FFC)

• The FFC is a standardized document used in the process of SCIF accreditation.

– The FFC documents physical, technical, and procedural security information for obtaining an initial or subsequent accreditation.

• To support the accreditation process, the Planner, Designer of Record, Project Manager, and Construction Manger may have to provide the SSM site plans, building floorplans, IDS plans, and other information related to perimeter and compartment area wall construction, doors, locks, deadbolts, Electronic Security System (ESS), telecommunication systems, acoustical protection, and TEMPEST countermeasures.


TEMPEST Countermeasure Review (TCR)

• Each SCIF requires a TEMPEST countermeasures review (TCR), performed by Certified TEMPEST Technical Authority (CTTA), as part of the SCIF construction process. – The local SSO will use the TEMPEST addendum to the FFC to

request a TCR.

– The addendum will be submitted during the planning phase of the construction.

• While some specific information may not be known prior to construction, as much information as possible must be provided in order to minimize costly changes.

• These TEMPEST countermeasures are based upon risk management principles using factors such as location, volume of information processed, sensitivity, and perishability of information, physical control, and the TEMPEST profile of equipment used.


SCIF Construction and Design: United States

• SCIF construction and design shall be performed by U.S. companies using U.S. citizens or U.S. persons.

– U.S. person: An individual who has been lawfully admitted for permanent residence as defined in 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by Title 8 U.S.C. 1324b (a)(3), and able to provide two forms of identification listed on Department of Homeland Security Form I-9, Employment Eligibility Verification.

• Intrusion Detection System (IDS) installation and testing shall be performed by U.S. companies using U.S. citizens.

• The AO shall ensure mitigations are implemented when using non-U.S. citizens. These mitigations shall be documented in the CSP.


SCIF Construction and Design: Outside United States

• SCIF design shall be performed by U.S. companies using U.S. citizens or U.S. persons.

• General SCIF construction shall be performed by U.S. companies using U.S. citizens. – On military facilities, the AO may authorize foreign

national citizens or companies to perform general construction of SCIFs. In this situation, the SSM shall prescribe, with AO approval, mitigating strategies. These mitigations shall be documented in the CSP.



• U.S. Top Secret-cleared personnel shall perform finish work in SETL Category I and II countries.

• U.S. Secret-cleared personnel shall perform finish work in Category III countries escorted or other mitigations are applied as documented in the CSP.– Finish work is defined as closing up walls structures,

installing, floating, taping, and sealing wallboard, installing trim, chair rail, molding, flooring, painting, etc.


• Intrusion Detection System (IDS) installation and testing shall be performed by personnel who are U.S. TOP SECRET-cleared or U.S. SECRET-cleared and escorted by SCIF personnel.



Construction Security

• For locations outside the United States, the AO may also impose procedures for the procurement, shipping, and storing of construction materials at the site.

• In addition, the AO may require access control to the construction materials and the SCIF construction area. Since these additional security measures may have significant cost impacts on project, they must be determined during project development.

These procedures must be documented in the Construction Security Plan (CSP).


Information Security

• Construction plans and all related documents shall be handled and protected in accordance with the Construction Security Plan

• Do not identify SCIF locations on planning or construction documents

• With accrediting official’s approval, areas may be identified as “secure area” or “controlled area”


SCIF Security Requirements

• Where a SCIF is located (threat), its classification, security-in-depth, and how it is operated will determine the security requirements.

• For overseas SCIF, AO uses the Department of State (DoS) Security Environment Threat List (SETL) for the threat ratings.

– The DoS SETL and its contents are Classified Secret.


Information Security

• Under no circumstances shall plans or diagrams that are identified for SCI be sent or posted on unprotected information technology systems or Internet venue without encryption.

• Department of State (DoS) Security Environment Threat List (SETL) is classified Secret information.

– Planners, Project Managers, Designers, and contractors may not need to know SETL Category, but they do need to know the resulting mitigation.

– Do not include the DoS SETL or the SETL Category in project documentation.

– Do not send or post DoS SETL information on unclassified information technology systems.


SCIF Phases

Planning

Design

Construction

Accreditation


Planning Team

• Establish an interdisciplinary planning team with local considerations to include the following:– Planning

– Supported Command

– Site Security Manager (SSM)

– Communications

– Security

– Engineering

– Cultural resources (if historical building)

• Planning team must work together to determine and document the minimum & enhanced security requirements.


• Planner must work closely with the supported command and the AO’s representative (SSM) to determine the requirements for each SCIF.

• The SSM, AO and the Certified TEMPEST Technical Authority (CTTA) use risk management to determine project requirements. – Analytical risk management is the process of assessing

threats against vulnerabilities and implementing security enhancements to achieve the protection of information and resources at an acceptable level of risk, and within acceptable cost.



• To determine project requirements the AO/SSM will consider factors such as:


– SCIF Classification– SCIF Location– Threat– Vulnerabilities– Security in Depth– Type and amount of

classified information being processed

– TEMPEST Review– Cost**– Risk ** Design and Construction Agent needs to make sure

the AO/SSM understands the cost



• The NAVFAC Facility Planner assigned to the project must assist the SSM in documenting the facility and site requirements necessary for the preparation of these documents. – The SSM will send the preliminary versions to the AO via the

RSSO for review.

• Upon review of the preliminary CSP, the AO will issue an approval or acknowledgment message along with the SCIF identification number (SCIF ID). – This is considered the AO's Concept Design Approval.

– If an acknowledgment message is sent, it will contain guidance that the SSM must be incorporated into the CSP and the project.


Space Configuration

• If a facility has more than one SCIF, consideration should be given to consolidate into one SCIF with compartmented areas within. – Any consolidation of spaces will reduce accrediting

requirements, initial cost, and the sustainment costs associated with infrastructure and electronic security systems

• This must be coordinated with Supported Command and SSM to insure configuration will meet operational and compartmented requirements.


Historic Preservation

• In a SCIF, every effort should be made to minimize or eliminate windows, especially on the ground floor.

• Windows and doors shall be protected against forced entry and meet the requirements for the SCIF perimeter which may include visual, acoustic and TEMPEST mitigation.

• State Historic Preservation Officers (SHPO) may consider window and door modifications to have an adverse effect but may allow if the impact is minimized and the effect mitigated.

• Planners will need to consult with the State Historic Preservation Office (SHPO) to determine options that meet security requirements and are compatible with the Secretary of the Interior's Standards for Rehabilitation.


SCIF Security Requirements

• Additional considerations that may effect the design and construction are sound ratings of the SCIF perimeter and if TEMPEST countermeasures are required.

• Any areas designated as non-discussion? Ex: stair wells, vestibules, storage area.

• What areas will have amplified discussion? (Speakerphones, Video Teleconferencing, or Conference Rooms) What areas will have non-amplified discussion?

• Is there equipment that will be processing national security information (NSI) such as computers, faxes, and printers?

• Again, sound ratings and TEMPEST requirements must be determined, documented, and budgeted for during the planning process!


Planning SCIF Security Requirements

• Work with the supported command and the SCIF Accrediting Official to determine and document the classification, operation, and resulting protective measures for each SCIF.

– Is the SCIF the entire facility or an area within the building?

– Will there be more than one SCIF, if so how many?

– What is the classification of each SCIF?

– Will the SCIF perimeter wall be standard, enhanced, or vault construction?

– What is the required sound rating for each SCIF perimeter?

– Are there Compartmented Areas within each SCIF? If so, how many?

– What is the required sound rating for each Compartmented Area perimeter?


Planning SCIF Security Requirements

• Continued.– Are there special procurement, shipping, and storing of SCIF

construction materials at the site required? If so, what will be required?

– Are there additional access control requirements for the construction materials and the SCIF construction area?

– Is there equipment that will be processing national security information (NSI)? Will this result in a TEMPEST requirement? If so, what will be required TEMPEST countermeasures?

• This must be determined, documented, and budgeted for during the planning process and re-validated during RFP and Design development.

• Get a copy of the preliminary construction security plan (CSP) during the planning process!


Construction Site Security

• Construction Review Board Guidance.– If the project includes a SCIF (or other secure

space), include the following:“Special costs also include monitoring during Secure Compartmented Information Facility (SCIF) [or other space type as is project specific] construction; including surveillance by Construction Security Technicians and Cleared American Guards during secure space finish work in accordance with Intelligence Community guidance. Construction monitoring is required to observe the construction to ensure that are no abnormalities that could affect and compromise the security of the SCIF.”



• Construction Surveillance Technicians (CSTs) Responsibilities– Supplement site access controls, implement screening and

inspection procedures, as well as monitor construction and personnel, when required by the AO.

– In low and medium technical threat countries, begin surveillance of non-cleared workers at the start of SCIF construction or the installation of major utilities, whichever comes first.

– In high and critical technical threat countries, begin surveillance of non-cleared workers at the start of: construction of public access or administrative areas adjacent to the SCIF; SCIF construction; or the installation of major utilities, whichever comes first.



• Cleared American Guards (CAGs) Responsibilities– Performs access-control functions at all vehicle

and pedestrian entrances to the site except as otherwise noted in the CSP.

• Screens all non-cleared workers, vehicles, and equipment entering or exiting the site.

• Denies introduction of prohibited materials, such as explosives, weapons, electronic devices, or other items as specified by the AO or designee.

• Conducts random inspections of site areas to ensure no prohibited materials have been brought on to the site. (All suspicious materials or incidents shall be brought to the attention of the SSM or CST.)


ECB 2017-03

• During the project planning stage and development of a DD1391: – The NAVFAC Asset Management (AM) Facility Planner will work

with the SIO to ensure SCIF requirements are included in the Basic Facility Requirement and Facility Planning Document.

– The SSM will send the preliminary versions of the CSP, FFC and the TEMPEST addendum to the AO via the RSSO for review.

• Upon review of the preliminary CSP, the AO will issue an approval or acknowledgment message along with the SCIF identification number (SCIF ID).

– The NAVFAC Facility Planner assigned to the project must assist the SSM in documenting the facility and site requirements necessary for the preparation of these documents

• Do not finalize a project scope or budget without an approved or acknowledged Preliminary CSP


ECB 2017-03

• Serious consideration should be given to the acquisition strategy to be used on a SCIF project. – The Design Bid Build (DBB) acquisition strategy will

enhance the security of the SCIF and allow the CSP requirements and TEMPEST countermeasures to be refined during the design development.

• DBB acquisition strategy must be used when the entire facility is a SCIF.

• DBB acquisition strategy should be the first consideration when a major portion of the facility is a SCIF or when the project is outside of the United States, its possessions or territories. – The strategy will be selected with joint concurrence of CI/OP/AQ

during the development of the 1391.


SCIF Phases

Planning

Design

Construction

Accreditation


• Project Manager, Design Manager and Designer of Record must work closely with the supported command and the AO’s representative (SSM) to validate the security requirements for the project.• The SSM must validate the preliminary CSP

requirements.– The CSP may be adjusted by the SSM due to changes in operational

requirements or the local threat. – Project Manager/Project Team must inform supported command and

SSM of the scope or budget implications

• SSM must complete and submit the updated CSP and the Preliminary Fixed Facility Checklist (FFC) with the TEMPEST addendum.

• AO sends TEMPEST Countermeasure Review (TCR) Message

Preliminary Design Phase


General Design Strategy

• PERIMETER CONSTRUCTION.– The SCIF and Compartmented Area perimeters and the

penetrations to those perimeters are the primary focus of SCIF design.

– Mitigation against forced entry, surreptitious entry, covert entry, visual surveillance, acoustic eavesdropping, and electronic emanations will drive SCIF design and construction requirements.



• TEMPEST– In general, TEMPEST countermeasures are required

when the SCIF contains equipment that will be processing National Security Information (NSI).

• However, having equipment that will be processing NSI does not necessarily imply the need to implement TEMPEST countermeasures beyond RED/BLACK separation.

• CTTA must determine for each project.

– If required TEMPEST countermeasures are omitted, the facility will not be accredited and the Supported Command will not be mission capable.



• TEMPEST (continued)– The Certified TEMPEST Technical Authority (CTTA)

has responsibility for conducting or validating TEMPEST reviews and recommending TEMPEST countermeasures.

– Failure to consult the CTTA could result in installation of unnecessary and/or expensive countermeasures or the omission of needed countermeasures.


TEMPEST Review

• The CTTA shall conduct a TEMPEST Countermeasure review for each SCIF.

• In conducting the review, the CTTA may evaluate factors such as:– Volume and sensitivity of Information processed

– Profile of Equipment used to process National Security Information (NSI)

– Location

– Inspectable space boundary Security- in-Depth

– Access control of facility

• Project Managers may need to provide site plans and building floorplans to the SSM to assist CTTA in the evaluation of inspectable space.


• SPECIFIC DESIGN STRATEGY– The specific design strategy governs how the

general design strategy varies for different levels of protection or threat severity. They may vary by the sophistication of the protective measures and the degree of protection provided. The specific design strategies reflect the degree to which assets will be left vulnerable after the protective system has been employed.

– ICS 705-1 and the IC Tech Spec for ICD/ICS 705 provide the minimum and enhanced construction requirements for SCIF

SPECIFIC DESIGN STRATEGY


Specific Design Strategy

• DESIGNERS MUST TAKE A SIX-SIDED APPROACH WHEN DEVELOPING SCIF REQUIREMENTS AND DESIGN.

– The perimeter includes all walls , floors, ceilings, doors, windows and penetrations in the perimeter such as ductwork and pipes. and conduit.



Acoustic Protection for SCIF:– Acoustical protection measures and sound masking systems are

designed to protect SCI against being inadvertently overheard by the casual passerby, not to protect against deliberate interception of audio.

– The ability of a SCIF structure to retain sound within the perimeter is rated using a descriptive value, the Sound Transmission Class (STC).

– Architectural Graphics Standards (AGS) established Sound Groups I through 4, of which Groups 3 and 4 are considered adequate for specific acoustical security requirements for SCIF construction. Per AGS:

• Sound Group 3 – (STC of 45) or better. Loud speech can be faintly heard but not understood. Normal speech is unintelligible.

• Sound Group 4 – (STC of 50) or better. Very loud sounds, such as loud singing, brass musical instruments or a radio at full volume, can be heard only faintly or not at all.



• Acoustic Protection for SCIF– The amount of sound energy reduction may vary

according to individual facility requirements. However, Sound Group ratings shall be used to describe the effectiveness of SCIF acoustical security measures afforded by various wall materials and other building components.

• SCIF Perimeter walls shall meet Sound Group 3, unless additional protection is required for amplified sound.

• Compartmented Area Walls: If compartmented areas are required within the SCIF, the dividing office walls must meet Sound Group 3, unless additional protection is required for amplified sound.

– ASTM E-90, Standard Method for Laboratory Measurement of Airborne Sound Transmission.



• Sound Attenuation

– Conference rooms, where multiple people discuss SCI, or areas where amplified audio is used shall meet Sound Group 4 performance criteria.

• This applies to the entire perimeter of the space to include walls floors, and ceiling and perimeter penetrations such as ducts, doors, and windows.



• Acoustic Protection for SCIF– When normal construction and baffling measures have

been determined to be inadequate for meeting Sound Group 3 or 4, as appropriate, sound masking shall be provided. • A sound masking system may utilize a noise generator as a noise source,

an amplifier, and speakers or transducers located on the perimeter of the SCIF.

• When required, provide sound masking devices at penetrations to the SCIF perimeter such as doors and duct penetrations.

TRANSDUCER



• ADJACENT SPACE.

– To increase Security in Depth (SID), locate other areas that require access control adjacent to or surrounding SCIF.



• VESTIBULE.– When practical, the entrance into a SCIF should incorporate a

vestibule to preclude visual observation and enhance acoustic protection.



• Walls:– Perimeter walls, floor and ceiling

shall be permanently and solidly constructed and attached to each other. Walls must go from true floor to true ceiling.

– Seal partition continuously with acoustical foam or sealant (both sides) and finished to match wall wherever it abuts another element such as the floor, ceiling, wall, column, or mullion.

– Seal wall penetrations on both sides with acoustical foam or sealant finished to match wall.

• Note: Fire Stop System maybe required for fire rated wall assemblies.

– Entire wall assembly shall be finished and painted from true floor to true ceiling.



• Wall A (Standard Wall) - Sound Group 3 (STC 45 or better)

– 3-5/8” metal or 2 x 4 wood studs

– Continuous runners (same gauge as studs) attached to true floor and true ceiling.

– Three layers of 5/8 inch foiled back Type X gypsum, one layer on the outside and two on the inside of the SCIF wall. When R-foil or foil back gypsum is employed, it shall be placed inside the SCIF between the first and second layer of gypsum board. Stagger interior seams, mount one layer vertically and one layer horizontally to ensure seams do not align.

– Provide acoustic fill between studs in a manner to prevent slippage.


Wall A Suggested Construction for Standard Wall

• Sound Group 4 wall requires four layers of 5/8” GWB and special acoustic door or vestibule.

• When required by CTTA. Foil backed GWB or a layer of approved Ultra Radiant R-Foil may be used.

• 16 gauge continuous track (top & bottom) w/ anchors at 32” o.c. maximum) –bed in continuous bead of acoustical sealant..

• Any utilities required on the perimeter wall shall be surface mounted.

Only for sound attenuation of wall: Don’t Forget Ceiling and Floors



• Wall B (Enhanced Wall) Expanded Metal Sound Group 3 (STC 45 or better):– Same as Wall A except:

• Metal studs and runners shall be 16 gauge

• Wood or Metal Studs shall be 16” on center

• Provide ¾” #9 (10 gauge) case hardened expanded metal affixed to the interior side of SCIF perimeter studs.


Wall B Suggested Construction for Expanded Metal

• CTTA recommended countermeasures (foil bracketed wallboard or R-foil shall be installed in accordance with Best Practices for Architectural Frequency (RF) Shielding.

• Any utilities required on wall shall be surface mounted.

Only for sound attenuation of wall: Don’t Forget Ceiling and Floors



• Wall C (Enhanced Wall) Perimeter walls with Fire Rated Plywood:– Wall assembly the same as Wall B

except:

– One layer of 5/8” thick “fire retardant” plywood shall be substituted for expanded metal and first interior layer of gypsum board on the interior side of the SCIF wall assembly.

– The plywood shall be continuously glued and screwed to the studs every 12 inches along the length of each stud.

• Wall C with Fire Rated Plywood is usually preferred over Expanded Metal for enhanced walls to mitigate against surreptitious entry.


Wall C Suggested Construction for Plywood (Fire Rated)Only for sound attenuation of wall: Don’t Forget Ceiling and Floors

• CTTA recommended countermeasures (foil backed wallboard or R-foil shall be installed in accordance with Best Practices for Architectural Frequency (RF) Shielding.

• Any utilities required on wall shall be surface mounted.



• GWB

– The interior two layers of wallboard shall be mounted so that the seams do not align (i.e., stagger joints).

• Painting of wall assembly

– In some cases, the SSM may required the paint above the false to be painted with a different color.

• Existing walls

– When an existing wall is constructed with substantial material (e.g., brick, concrete, cinderblock, etc.) equal to meet the perimeter wall construction standards, the existing wall may be utilized to satisfy the specification.

• CTTA recommended countermeasures (foil backed GWB or layer of approved Ultra Radiant R-Foil)

– Installed in accordance with (IAW) best practices for architectural Radio Frequency (RF) shielding. Foil shall be located between the layer of plywood and GWB.



• Minimum requirements for Vault walls:– Reinforced Concrete Construction

• Walls, floor, and ceiling will be a minimum thickness of eight inches of reinforced concrete.

– GSA-approved modular vaults• Federal Specification FF-V-2737

– Steel-lined Construction• Where unique structural circumstances do not

permit construction of a concrete vault

• Minimum requirements for doors– GSA-approved Class 5 or Class 8 vault door

– Within the US, a Class 6 vault door is acceptable


Minimum SCIF Construction Requirements

CLASSIFICATION WALL CONSTRUCTION1 IDS3 ACS4 DURESS

INS

IDE

UN

ITE

D

ST

AT

ES

Open Storage without SID5 Wall B - Enhanced Wall (Expanded Metal)2

Wall C - Enhanced Wall (Fire Retardant Plywood)2YES YES NO

Open Storage with SID5 Wall A - Standard Wall2 YES YES NO

Closed Storage Wall A - Standard Wall2 YES YES NO

Continuous Operations Wall A - Standard Wall2 YES YES NO

Secure Working Area (SWA) Wall A - Standard Wall2 YES YES NO

OU

TS

IDE

UN

ITE

D S

TA

TE

S

SETL Cat I

Open Storage Vault 2 YES YES RECOMMENDED

Closed StorageWall B - Enhanced Wall (Expanded Metal)2


Continuous OperationWall B - Enhanced Wall (expanded Metal)2

Wall C - Enhanced Wall (Fire Retardant Plywood)2YES YES YES

SETL Cat II & III

Open StorageWall B - Enhanced Wall (expanded Metal)2

Wall C - Enhanced Wall (Fire Retardant Plywood)2YES YES RECOMMENDED

Closed StorageWall B - Enhanced Wall (Expanded Metal)2


Continuous Operation Wall A - Standard Wall2 YES YES RECOMMENDED

Secure Working Area (SWA) Wall A - Standard Wall2 YES YES RECOMMENDED

1. Table indicates the minimum wall construction, Accrediting Official shall determine construction requirements based on Risk Assessment.2. Refer to IC Tech Spec-for ICD/ICS 705 for wall construction definitions and details. Include Radio Frequency (shielding) protection and sound

attenuation as required.3. IDS - Intrusion Detection System4. ACS - Access Control System: Automated ACS is not required.5. SID - Security In Depth



• Utilities such as power, Telecommunications, signal, or plumbing on the interior of a perimeter/compartmented wall treated for acoustic or RF shall be surface mounted or a furred out wall shall be constructed for routing of the utilities.

– If the construction of an additional wall is used, gypsum board may be 3/8 inch and shall terminate above the false ceiling.

– No recessed fire extinguisher cabinets on walls treated for acoustic or RF.





• Vents, ducts, conduits, pipes, or anything that penetrate the SCIF perimeter present a vulnerability that needs to be addressed.

• Penetrations of SCIF perimeter must be kept to a minimum.

• HVAC ducts: Provide a nonconductive break (flex connection) using material appropriate for the climate, for a 2- to 6-inch section of the duct adjacent to the duct penetration through the SCIF perimeter wall (inside wall).



• All metallic penetrations through SCIF walls may be considered carriers of compromising emanations (CE) and require TEMPEST countermeasures. Unless directed otherwise by the CTTA:– Metallic conduit: install dielectric union adjacent to the pipe

penetration through the SCIF perimeter wall (inside wall), or ground the conduit using a no. 4 wire (0.2043-diameter copper wire) to the building grounding system.

– Metallic sprinkler (fire suppression) pipes: provide a UL Listed dielectric union inside the SCIF perimeter adjacent to the penetration, or ground using a no. 4 wire (0.2043-diameter copper wire) to the building grounding system.

– Mechanical system refrigerant lines: ground the line using a no. 4 wire (0.2043-diameter copper wire) to the building grounding system.


• Vents and Ducts

– All vents and ducts shall be protected to meet the acoustic requirements of the SCIF.




• VENT, PIPE, AND DUCT OPENINGS :

– All vents or duct openings exceeding 96 square inches that penetrate the perimeter of a SCIF shall be protected with permanently affixed bars, grills, metal sound baffles or waveguides.

• If one dimension of the penetration measures less than 6 inches, bars or grills are not required.



• Provide an accessible 12” x 12” access panel in the bottom within the perimeter of the SCIF to allow visual inspection of the vent or duct (greater than 96 sq. in.) – If the area outside the SCIF is controlled (SECRET or equivalent

proprietary space), the inspection port may be installed outside the perimeter of the SCIF, and be secured with a GSA approved high security lock.

INSPECTION PORTMANBARS



– Seal wall penetrations on both sides with acoustical foam or sealant finished to match wall.

• Note: Through Penetration Fire Stop System maybe required for fire rated wall assemblies.



• Utilities (power and signal) should enter the SCIF at a single point.

– All utility penetrations must be sealed to mitigate acoustic emanations and covert entry.

– Spare conduits are allowed for future expansion provided the expansion conduit is filled with acoustic fill and capped.

• Utilities servicing areas other than SCIF shall not transit the SCIF Perimeter unless mitigation is provided.



• SCIF PERIMETER DOORS: Shall be equipped with an automatic door closer with controls to prevent unauthorized entry.

– Perimeter doors with day access controls for SCIF residents shall be dead bolted at night or meet the primary entrance door requirements.

– Hinge pins on SCIF doors that open into an uncontrolled area shall be modified to prevent removal of the door, e.g., welded, set screws, etc.



• SCIF PERIMETER DOORS (continued): –SCIF doors and frame assemblies shall meet acoustic

requirements (vestibule of two doors may be used) unless declared a non-discussion area.

– A steel door shall be used when RF shielding is required.

– Perimeter doors shall comply with U.S. National Fire, and the Architectural Barriers Act Accessibility Guidelines (ABAG) .

– All perimeter doors shall be alarmed.



• Sound Attenuation and Forced Entry govern door material and door hardware.

• From ICS guidelines:– Wood doors shall have:

• 1 ¾ inch thick solid wood core (wood stave)

• Acoustic seals

• Frames with a sill designed for the acoustic system used in the door.

– Steel doors shall have:

• 1 ¾ inch thick - face steel equal to 18 gauge

• Acoustic seals and sweep

• Hinges reinforced to 7 gauge

• Door closure reinforced to 12 gauge

• Lock area predrilled and/or reinforced to 10 gauge



• 1 ¾ inch thick - face steel equal to 18 gauge over wood or composite materials will not meet STC 45 rating.

– 1 ¾” Solid core door – factory sealed

• Best STC obtainable = 38 STC

– 1 ¾” Solid core door – field assembly


– 2” Solid core door – factory sealed


• Unsealed gaps and clearances in door assemblies cancel the soundproofing qualities of acoustical doors. A 1% opening around a door will allow up to 50% of the sound to pass through.

– Consider this: A 1/8-inch opening around all four sides of a door will reduce the effective rating of an STC 52 door down to an STC 21.

• In order to obtain a true STC 45 or 50 rated door specify an acoustical assembly to include door, seals, hinges, and threshold.



• PRIMARY ENTRANCE TO SCIF– Only one primary SCIF entrance where visitor control is conducted.

– Should incorporate a vestibule to preclude visual observation and enhance acoustic protection.

– Equipped with an approved automated access control device.

– Equipped with a GSA-approved pedestrian door deadbolt meeting Federal Specification FF-L- 2890 and combination lock meeting Federal Specification FF-L 2740A. Note: FF-L-2890 requires FF-L 2740A Combination lock.

• DO NOT SPECIFY AN X-09 or CDX-09 LOCKS!

– THESE ARE TRADEMARKS. SPECIFY HARDWARE TO MEET FEDERAL SPECIFICATION FF-L-2890

– Equipped with a key override in the event of a malfunction or loss of power to the automated access control device.



• ROLL-UP DOORS: Must only be located in an area of the SCIF that is a non discussion area due to the inability to treat for acoustics. Roll-up doors shall be

– 18 gauge or greater and

– Secured with dead bolts on each side of the door.

• DOUBLE DOORS: Because of acoustical concerns, double doors are not preferred. If double doors are used:

– One side shall be secured top and bottom with deadbolts

– Have an astragal strip attached to the either door to prevent observation of the SCIF through the opening between the doors.

– Alarm each door (have a balanced magnetic switch).

– Install a GSA approved lock on the moving door.



• EMERGENCY EXIT DOORS: Must meet perimeter door requirements and:

– Have no exterior hardware

– Secured with deadlocking panic hardware

– Alarmed 24/7 and equipped with a local annunciation

– Delayed-egress may be permitted with NFPA 101 compliance.



• WINDOWS:

– No windows are preferred. Therefore, minimize or eliminate windows in the SCIF, especially on the ground floor.

– Windows must be non-opening.

– Windows must provide visual and acoustic protection

– Provide RF protection when required.

– All windows less than 18 feet above the ground or from the nearest platform such as canopy or mechanical equipment which affords access to the window (measured from the bottom of the window) shall:

• Meet the standards of the SCIF perimeter

• Be protected against forced entry.

• Be alarmed



• Flashing or Rotating Light: – Per DoDM 5105.21 Vol 2 Department of Defense

Sensitive Compartmented Information Administrative Security Manual:

• SCIF personnel must be informed when non-SCI-indoctrinated personnel have entered and departed the SCIF. This may be accomplished either verbally or through visual notification methods.

• When used, place lights to ensure visual observation by SCIF personnel and place controls inside the SCIF at each door including emergency exit doors.



• Telecommunication Cabling System: – Coordinate requirements with Supported Command,

SSM and service provider.

– Cabling, patch panels, connector blocks, work area outlets, and cable connectors must be color coded to distinguish classification level or cabling must be clearly marked to indicate their classification level.

– Cabling must enter a SCIF at a single location and be identified and labeled with its purpose and destination at the point of entry.

– Backbone and horizontal cabling may differ depending on network classification, service provider, and TEMPEST requirement.



• Fire Alarm and Mass Notification System (MNS)• The introduction of electronic systems that have components

outside the SCIF should be avoided. Speakers or other transducers, which are part of a system that is not wholly contained in the SCIF, are sometimes required to be in the SCIF for Life Safety and Antiterrorism Standards. In such instances, the system can be introduced if protected as follows:

• TEMPEST concerns may require electronic isolation, validate requirements with CTTA.

• All incoming wiring must penetrate the SCIF perimeter at one point.

• In systems that require notification only, the system must have a high gain buffer amplifier.

• In systems that require two-way communication, the system must have electronic isolation. SCIF occupants should be alerted when the system is activated.

• When required, provide all electronic isolation components within the SCIF as near to the point of SCIF penetration as possible.



• Intrusion Detection System (IDS)– Requirements for IDS for the protection of SCI are

contained in IC Tech Spec-for ICD/ICS 705

– Design criteria for IDS is contained in Unified Facilities Criteria (UFC) 4-021-02, Electronic Security Systems available on the Whole Building Design Guide website.

– Guidance on coordination for Electronic Security System (ESS) equipment procurement and installation is contained in BMS B-1.3, Operational Outfitting Considerations Available on the NAVFAC Portal



• Intrusion Detection System– IDS installation, related components, and

monitoring stations shall comply with Underwriters Laboratories (UL) 2050 Extent 3 standards.

– NOTE: Systems developed and used exclusively by the U.S. Government do not require UL certification but shall comply with UL 2050 Extent 3 standards for installation.

– UL 2050 is the National Industrial Security Systems standard.

• UL 2050 materials are restricted and only distributed to those demonstrating relevant national industrial security involvement.



• UL 2050 Extent 3 standards for installation– UL 2050 implements UL 681, Installation and Classification

of Burglar and Holdup Alarm Systems for alarm system installation.

– UL 681 is available to NAVFAC personnel through the Information Handling System (IHS).

– “Non-Government Standards (Limited Access)” link is on the DoD page under Related Links on Whole Building Design Guide Website:



• Extent Number 3 protection shall consist of any of the following methods. An alarm system can utilize a single method or any combination of methods:

– Perimeter Only – Full protection of all accessible openings.

– Motion Detection – Contact protection of all accessible doors leading from the premises and a system of intrusion detection in all sections of each enclosed area that has exterior openings so as to detect movement.

– Sound Detection – Contact protection of all accessible movable openings leading from the premises and a sound detection system in all sections of each enclosed area that has exterior openings

– d) Channels – Contact protection of all movable accessible openings leading from the premises and a system of invisible beams or motion detectors arranged so that the minimum length of the beams or motion detection is equal to the longest dimension of each enclosed area that has an exterior opening. The channels shall be arranged to provide the most effective coverage of the premises. A channel of protection along one wall, with or without openings, does not meet the intent of this requirement.


• Intrusion Detection System Requirements:– Protect all Interior areas of a SCIF through which reasonable

access could be gained, including walls common to areas not protected at the SCI level, unless continuously occupied.

• These adjacent areas do not need IDS protection if the AO determines that a facility’s security programs consist of layered and complementary controls sufficient to deter and detect unauthorized entry and movement.

– IDS shall be separate from, and independent of, fire, smoke, radon, water, and other systems.

– Doors without access control systems and that are not under constant visual observation shall be continuously monitored by the IDS.

– Emergency exit doors shall be alarmed and monitored 24 hours a day.

– Perimeter doors shall be protected by an HSS and a motion sensor.




• Intrusion Detection System Requirements– If a monitoring station is responsible for more than one

IDS, there must be an audible and visible annunciation for each IDS.

– If the IDS incorporates an access control system (ACS), notifications from the access control system must be subordinate in priority to IDS alarms.

– Motion detection sensors are not required above false ceilings or below false floors. However, these detectors may be required by the AO for critical and high threat facilities outside the U.S.



• Intrusion Detection System Sensors– Motion Detection Sensors

• UL 639 listed

• Dual-Technology Sensors may be used when authorized and each technology transmits alarm conditions independent of the other technology.

– Point Sensors• UL 634 high security switches (HSS) level II.

– Level II rated switches include Balanced Magnetic Switches (BMS) that pass additional performance testing.


• Intrusion Detection System Requirements:– Premise Control Unit (PCU): Must be located within the SCIF

• PCU is a term used to describe a specific IDS control panel.

• Only SCIF personnel may initiate changes in access modes. Operation of the access/secure mode shall be restricted by using a device or procedure that validates authorized use.

– Tamper protection: Tamper protection for IDS can be physical protection, line supervision, encryption, and/or tamper alarming of enclosures and components.

• Sensor Cabling Security: Cabling between the sensors and the PCU shall be dedicated to the IDE and contained within the SCIF. If the wiring cannot be contained within the SCIF, such cabling shall be encrypted and protected from tamper.

• External Transmission Line Security: When any IDS transmission line leaves a SCIF, line security shall be employed.

– Refer to UFC 4-021-01, Electronic Security Systems for more on system design including tamper protection.



• IDS Electrical Power– Electrical Power:

• In the event of primary power failure, the system shall automatically transfer to an emergency electrical power source without causing alarm activation.

– Emergency Backup Electrical Power.

• Twenty four hours of uninterruptible backup power is required and may be provided by an uninterruptible power supply (UPS), batteries or generators, or any combination.

– Electrical Power Source and Failure Indication.

• An audible or visual indicator at the PCU shall provide an indication of the primary or backup electrical power source in use.

• Equipment at the monitoring station shall visibly and audibly indicate a failure in a power source or a change in power source.

• The individual system that failed or changed shall be indicated at the PCU or monitoring station as directed by the AO.




• Access Control Systems– Access is restricted to authorized

personnel. Access control methods must be approved by the Accrediting Official (AO).

– Access control methods may include anyone of the following but are not approved for securing SCIF entrances when the SCIF is unoccupied:

– Electromechanical, mechanical or personal recognition (in small facilities and/or where there is a single monitored entrance).

– Automated access control systems using at least two technologies (badge, PIN, biometric, etc.)

– Default is card reader compatible with CAC with Keypad





• Based on the regulatory requirements for the projection of SCI, the standard practice is: – Focus ESS protection at the perimeter of the secure spaces.

– Every perimeter door will have a Level II high security switch and a motion sensor.

– Any window below 18' will be protected with a level II high security switch (if operable) and a be protected with a motion sensor.

– In addition, strategically place motion sensors to protect the interior areas through which reasonable access could be gained, including walls common to areas can be protected by a motion sensor.

• This does not mean 100% coverage.

• Protection can be accomplished by placement directly over the protected assets or in hallways or other restricted passage ways leading to classified/sensitive assets



• IDS Installation, Testing, and Approval– For Installations inside the United States:

• Performed by U.S. companies using U.S. citizens.

– For installations outside the U.S.

• As documented in the CSP, U.S. TOP SECRET-cleared personnel or U.S. SECRET-cleared personnel escorted by SCIF personnel must perform installation and testing of Intrusion Detection System (IDS)



• IDS Installation, Testing, and Approval– IDS installation plans shall be restricted as

documented in the CSP.

– IDS Approval. • The AO will approve IDS proposals and plans prior to installation

as part of the construction approval process.

• Final system acceptance testing shall be included as part of the SCIF accreditation package.


Requirements for TEMPEST

• National Security Telecommunications and Information System Security Instruction (NSTISSI) No. 7000, “TEMPEST Countermeasures for Facilities,” establishes guidelines and procedures that shall be used by departments and agencies to determine the applicable TEMPEST countermeasures for national security systems.– In general, TEMPEST countermeasures apply when the SCIF

contains equipment that will be processing national security information (NSI).

• Note: Having equipment that will be processing NSI does not necessarily imply the need to implement TEMPEST countermeasures.



• The Certified TEMPEST Technical Authority (CTTA) has responsibility for conducting or validating TEMPEST reviews and recommending TEMPEST countermeasures, including RED/BLACK installation measures. – Failure to consult the CTTA could result in installation of

unnecessary and/or expensive countermeasures or the omission of needed countermeasures.

• Request the SSM get the CTTA involved during the planning phase!– SSM must submit the TEMPEST Addendum with the FCC.

– TEMPEST Countermeasures are documented in the TEMPEST Countermeasure review (TCR) and approved by the AO.



• The CTTA will use a risk based approach outlined in NSTISSI No. 7000 to determine applicable countermeasures for each SCIF.

• In conducting TEMPEST countermeasure review, the CTTA will evaluate the following factors:– Location

– Inspectable space boundary

– Volume and sensitivity of Information processed

– Access control of facility

– Profile of Equipment used to process NSI

• Project Managers may need to provide the SSM site plans and building floorplans to assist CTTA in the evaluation of inspectable space.



• In General, any FCC Class B approved equipment can be used in a facility that meets 25 db of facility attenuation (e.g., R-foil or foil backed gypsum) or has adequate “inspectable space.”– Inspectable space: The three-

dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and/or remove a potential TEMPEST exploitation exists.

– The CTTA shall determine the Inspectable Space for a facility.


• RED/BLACK concept:– All equipment, wirelines, components, and systems that process

NSI are considered RED.

– All equipment, wirelines, components, and systems that process encrypted NSI and non-NSI are considered BLACK.

– The RED/BLACK concept is utilized to establish minimum guidance for physical separation to decrease the probability that electromagnetic emissions from RED devices might couple to BLACK systems.

– Red/Black line separation guidelines

• 39 inches if neither line is in ferrous conduit

• 9 inches if one line is in ferrous conduit

• 3 inches if both lines are in ferrous conduit

• 0 inches if one line is optical fiber

Possible TEMPEST Countermeasures



• Distribution Equipment (Telecommunication Rooms/Closets). – Distribution equipment must be designed with separate RED and BLACK

connector blocks to prevent improper connection of RED and BLACK lines.

• Protected Distribution Systems (PDS). – A signal distribution system containing unencrypted NSI which enters an area of

lesser classification, an unclassified area or uncontrolled (public) area must be protected according to the requirements of the current PDS standard.

– For a SCIF, that means a signal distribution system containing unencrypted NSI that leaves the SCIF.

• Signal Line Isolators and Filters– BLACK lines and other electrically conductive materials that egress the

inspectable space are potential carriers of Compromising Emanations (CE) that can inadvertently couple to the Red lines. Various signal line isolation techniques can be used to protect the signal line, the distribution system or other fortuitous conductors from conducting compromising signals beyond secure areas.

– Signal line isolation should only be considered if the minimum separation recommendations cannot be met.



• RF mitigation shall be provided at the direction of the CTTA when the SCIF utilizes electronic processing and does not provide adequate RF attenuation at the inspectable space boundary.

– Provide foil backed GWB or R-Foil in accordance with Best Practices Guideline for Architectural Radio Frequency Shielding.

– The use of R-foil or aluminum foil backed gypsum is required if the facility does not provide adequate RF attenuation at the inspectable space boundary and recommended for all other applications.

– When R-foil is employed it shall be placed inside the SCIF between the first and second layer of gypsum board.

– Don’t forget ceiling, floor, penetrations, and connections


SCIF Phases

Planning

Design

Construction

Accreditation


ECB 2017-03

• For DBB projects:

– Do not award a construction contract without AO approval of the Final CSP.

• For DB projects:

– Do not start onsite construction activities (excluding mobilization, demolition, clearing and grubbing) without AO approval of the Final CSP.


• SSM:– Validate SCIF Final construction personnel requirements for work

including:- General SCIF Construction- Finish work- Outfitting (such as Furniture, Fixtures and Equipment (FF&E) and ESS

– Validate SCIF Final CSP material purchasing, inspection, shipping, and secure storage area (SSA) requirements including FF&E and ESS.

– Validate SCIF Final CSP area site access controls for personnel, materials, and vehicles

– Validate Construction Surveillance Technician (CST) requirements in SCIF Final CSP

– Validate Cleared American Guards (CAG) requirements in SCIF Final CSP

– Coordinate all changes with Construction Manager for cost and schedule implications.

SCIF Accreditation Cycle


• Construction Manager: – If any updates are made to the CSP, inform supported command

and SSM of the scope or budget implications.

– Conduct Design-Build (DB) Post Award Kickoff (PAK) or Design-Bid-Build (DBB) Pre-Construction Conference (PreCon). SSM must attend.

– Forward approved construction submittals to SSM for inclusion in FFC.

– Conduct the initial NAVFAC Red Zone (NRZ) meeting. Include inspections and acceptance testing in the critical activities

• Coordinate preliminary walkthrough with the SSM prior to substantial completion of space.

• Conduct periodic inspections of area to document and validate construction requirements

• Conduct final inspections and acceptance testing with the SSM in accordance with the NRZ critical activities.



• ISC 705-2 provides accreditation policy requirements. – SClF inspections and evaluations are performed by the AO, or

designee (SSM), prior to initial accreditation.

– The accreditation includes a review of documents relating to SClF design and construction and include a Fixed Facility Checklist (FFC).

• To facilitate this process, Project/Construction managers shall provide the AO/SSM site plans, building floorplans, IDS plans, and information related to perimeter and compartment area wall construction, doors, locks, deadbolts, IDS, telecommunication systems, acoustical protection, and TEMPEST countermeasure.



• Coordinate preliminary walkthrough with the accreditation official prior to substantial completion of SCIF space.

• Assemble required documents for accreditation process. (Requirements vary depending on project)

–Drawings:• Civil Site Plan

• Architectural

– Floor and Reflective Ceiling Plans

– Wall sections (floor to ceiling)

– Floor and Ceiling section

– Door Schedule

– Door head, jamb, and threshold details

– Window schedule and details



– Drawings (continued):• Fire Protection

– Sprinkler piping including penetration details– Fire Alarm system– Mass Notification System

• Mechanical– HVAC plans, sections and details of SCIF penetrations, ductwork details

sheets– Plumbing floor plans, detail for perimeter penetrations

• Electrical– Site plan– Lighting, Power, Telecommunications, Electronic Security System (ESS)

plans» Plans must indicate device and panel location to include strobe lights

– One-line diagrams for Power, Telecommunications, and ESS– ESS Door wiring details– Detail of perimeter penetrations



– Submittals

• Doors

• Door Hardware (locks, closers, and hinges)

• Acoustical ratings

• Electronic Security Systems

• Sound masking equipment

• As-Built drawings



• Conduct periodic inspections of SCIF area to document and validate:

– Standard or enhanced wall construction• Acoustic batting installation

• R-foil or aluminum foil backed gypsum installation (TEMPEST requirement)

• Gypsum wallboard installation

– Perimeter wall• True Floor to True Ceiling

• Top and bottom sealed (both sides) with acoustical foam or sealant finished to match wall

• Finished and painted from true floor to true ceiling

– Wall Penetrations• Sealed (both sides) with acoustical foam or sealant finished to match wall

– Metallic penetrations at perimeter (non-conductive break (e.g., canvas, rubber) installed at the interior perimeter (TEMPEST requirement).

– Man-bar installation

– Inspection ports



• Photographic Construction Surveillance Record may be accomplished by SSM or approved personnel to expedite the accreditation process.

• It is important to capture areas which will be covered up during construction. Pictures shall include the SCIF and CA perimeters and should capture:

– Wall construction

• Stud walls

• Acoustic installation

• Enhanced wall construction (9 gauge expanded metal)

• R-foil or aluminum foil backed gypsum installation (TEMPEST)

– Wall finishes (true floor to true ceiling)

– Perimeter penetrations

– Duct construction including inspection ports and acoustic baffle

– Man-bar construction

– Sound masking devices



Take Away

• As a construction agent for the Department of Defense, we must understand the SCIF requirements and ensure that the SCIF we plan, design, and construct meet the policy based accreditation requirements.– If a SCIF cannot be accredited, it cannot be operational…

and the supported command is “not mission capable!”

• Be Proactive: Find out who is the designated Site Security Manager (SSM)– Get them involved early in the project planning

– Keep them involved throughout the project.


Remember

• SSM is responsible for all security requirements for the project

– Get them involved during the planning phase and keep them involved through construction.

• Get the preliminary CSP during the planning phase.

– Know the construction security, material purchase/storage and personnel requirements

• Get the final “approved” CSP during design phase

• Focus on perimeter and its penetrations when designing

• Focus on the perimeter and its penetrations when reviewing the design

• Focus on the perimeter and the penetrations to the perimeter when constructing

• TEMPEST, TEMPEST, TEMPEST



Definitions

Accrediting Official (AO)– Person designated by the Cognizant Security Authority (CSA) that is responsible for all aspects of SCIF

management and operations to include security policy implementation and oversight.

Black LAN:– A term applied to equipment, cables, or fiber that processes or carries only unclassified and/or encrypted

information.

Certified TEMPEST Technical Authority (CTTA)– U.S. Government employee who has met established certification requirements in accordance with

NSTISSC-approved criteria and has been appointed by a U.S. Government department or agency.

Closed Storage:– The storage of SCI material in properly secured GSA approved security containers within an accredited

SCIF.

Cognizant Security Authorities (CSA):– The single Principal designated by a SOIC (see definition of SOIC) to serve as the responsible official for

all aspects of security program management with respect to the protection of intelligence sources and methods, under SOIC responsibility.

Compartmented Area (CA) – The a room, a set of rooms, or an area that provides controlled separation between compartments within a

SCIF.

Construction Security Plan (CSP) – A plan developed by the Site Security Manager (SSM) and approved by the CSA, which outlines security

measures to be followed to ensure security of the construction site and compliance with the SCIF construction requirements.


Definitions

Open Storage:– The storage of SCI material within a SCIF in any configuration other than within GSA approved security

containers.

Red LAN:– A term applied to equipment, cables, or fiber that processes or carries unencrypted National Security

Information (NSI) that requires protection during electrical/electronic processing.

Secure Working Area:– An accredited SCIF used for handling, discussing and/or processing of SCI, but where SCI will not be stored.

Security Environment Threat List (SETL): Classified List managed by the Office of Intelligence and Threat Analysis (ITA). The SETL reflects four categories of security threat, including political violence and crime for U.S. missions overseas.

Security Officer (SSO)/Site Security Manager (SSM):– Person designated by the Cognizant Security Authority (CSA) that is responsible for all aspects of SCIF

management and operations to include security policy implementation and oversight.

Sensitive Compartmented Information (SCI):– Classified information concerning or derived from intelligence sources, methods, or analytical processes,

which is required to be handled within formal access control systems established by the Director of Central Intelligence.

Sensitive Compartmented Information Facility (SCIF):– Accredited area, room, group of rooms, buildings, or installation where SCI may be stored, used, discussed,

and/or processed.


Definitions

Sound Transmission Class (STC): – The ability of a SCIF structure to retain sound within the perimeter is rated using a descriptive value.

SOIC: – Senior Officials of the Intelligence Community

Special Access Program Facility (SAPF).– An accredited area, room, group of rooms, building, or installation where SAP materials may be stored, used,

discussed, manufactured, or electronically processed. When required, SAPF provide an operational capability that is critical to the supported command’s mission

TEMPEST:– TEMPEST refers to the investigation, study, and control of Compromising Emanations of National Security

Information (NSI) from telecommunications and information processing systems.

Vault: – A room(s) used for the storing, handling, discussing, and/or processing of SCI and constructed to afford

maximum protection against unauthorized entry.